Wireless Technologies Comparison

 

Overview

This report was developed to help define the many wireless technologies in use today.  Some pros and cons of each technology are listed and further reference points are given.  After reading this report, you will have a better understanding of how the wireless technologies differ and of some of the security implementations of each.  Consider this report a crash course and not a comprehensive study.

 

Table of Contents

Wireless Technologies Comparison

Overview

Table of Contents

Wireless LAN Network Architectures

Wireless Technologies

    Infrared Wireless

    Radio Frequency (RF)

Wireless Protocols

    Wireless Application Protocol (WAP)

        The WAP Gap

        Protecting WTLS WAP Gateways

    Bluetooth

        Bluetooth Security Issues

        Securing Bluetooth

    802.11 Current

        Access Control

        Wired Equivalent Privacy (WEP)

        802.11b Security

    802.11 Future

Top 5 Security Issues

    1.    Eavesdropping

    2.    Theft or Loss of Wireless Devices

    3.    Denial of Service

    4.    Wireless Viruses

    5.    Masquerading

Wireless Cheat Sheet

    Bluetooth vs. 802.11

 


Wireless LAN Network Architectures

*      Ad-Hoc – This is a peer-to-peer setup where one wireless client talks directly to another without passing through any additional access point or proxy.  A common network identifier is used for peers to communicate with each other.

*      Single Point of Access – An Access Point is used in this type of setup to connect wireless users to a wired network.  The Access Point acts like a bridge between the wireless users and the network to which they wish to connect.  The Access Point is responsible for authenticating the wireless users via password and possibly MAC address.  The distance of the wireless system from the access point determines the network performance that user will experience.  A system that is 5 feet from the Access Point could monopolize the bandwidth from other users not so close, and a system 20 feet away could experience degraded network performance.  The area surrounding the Access Point is referred to as the “Basic Service Set”, or BSS.

*      Multiple Access Points – This setup allows multiple Access Points for multiple systems to access the network.  The purpose of this is for users to be able to roam between Access Points and be connected to the Access Point that is closest to them.  The Access Points “hand off” the user's information and ensure the user is getting the best network performance available.

 

Wireless Technologies

Infrared Wireless

*      2 Mbps

*      Cannot penetrate opaque objects

*      Uses directed or diffused technology:

       *      Directed (requires line of sight)

       *      Diffused (limited to short distances such as a single room)

 

Radio Frequency (RF)

  1. Most use the 2.4 GHz frequency range
  2. Most popular WLAN technology
  3. Covers long ranges
  4. Includes narrowband and spread spectrum technology
  5. Previous versions ran at 2 Mbps
  6. Current versions run at 11 Mbps
  7. New standards allow use at 54 Mbps

 

Wireless Protocols

Wireless Application Protocol (WAP)

*      Operates over a multitude of different wireless technologies:

       *      Cellular Digital Packet Data (CDPD)

       *      Code Division Multiple Access (CDMA)

       *      Global System for Mobile Communications (GSM)

*      Built-in security at the transport layer similar to SSL

*      Enables a multitude of wireless devices, including cell phones and PDAs, to have a common way to access the Internet

 

The WAP Gap

WAP (Wireless Application Protocol) has an issue commonly referred to as the “WAP gap.”

 

Wireless Device  --WTLS-->  WAP Gateway  --TLS/SSL-->  Internet Server

 

*      WTLS: Wireless Transport Layer Security

*      Used in versions prior to WAP 2.0

*      Requires the WAP Gateway to decrypt WTLS transmissions and then re-encrypt them as TLS/SSL

*      Sensitive data is exposed as it traverses the gateway

 

If an attacker were to compromise the gateway, they would be able to access all of the secure communications traversing that network juncture.  The wireless carrier usually controls the wireless gateway.  The user will not be able to gain any knowledge regarding the security in place at the gateway.  This setup requires that users implicitly trust that the gateway is secure and monitored.

 

WTLS is replaced by TLS in WAP 2.0.  The gateway above is no longer needed to translate (decrypt from one standard and re-encrypt to another) since the Internet servers are able to interpret the TLS transmission directly.  All data remains encrypted as it passes through the gateway.  Since there is such a large difference in WAP technologies, the implementation of WAP 2.0 may take a long time.
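The following simulation, added here as an illustration and not part of the original report, contrasts the two paths just described: in WAP 1.x the gateway holds the plaintext between the WTLS and TLS sessions, while in WAP 2.0 a single handset-to-server TLS session leaves the gateway with ciphertext only. The keys and the counter-mode keystream cipher are constructed stand-ins for WTLS/TLS, not real protocol code.

```python
import hashlib
from typing import Tuple

# Stand-in for WTLS/TLS record encryption (constructed for this example,
# NOT a real cipher): a SHA-256 counter-mode keystream XORed with the payload.
def _crypt(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

# Hypothetical session keys.  In WAP 1.x the handset<->gateway WTLS session and
# the gateway<->server TLS session are separate, independently keyed sessions.
WTLS_KEY = b"handset<->gateway wtls session key"
TLS_KEY = b"gateway<->server tls session key"
E2E_KEY = b"handset<->server tls session key (WAP 2.0)"

def wap1_path(msg: bytes) -> Tuple[bytes, bytes]:
    """WAP 1.x: the gateway must decrypt WTLS to re-encrypt as TLS.
    Returns (bytes the gateway held in the clear, bytes the server received)."""
    over_air = _crypt(WTLS_KEY, msg)
    at_gateway = _crypt(WTLS_KEY, over_air)   # plaintext exists here: the WAP gap
    over_wire = _crypt(TLS_KEY, at_gateway)
    at_server = _crypt(TLS_KEY, over_wire)
    return at_gateway, at_server

def wap2_path(msg: bytes) -> Tuple[bytes, bytes]:
    """WAP 2.0: one TLS session handset<->server; the gateway only relays bytes.
    Returns (bytes the gateway saw, bytes the server received after decrypting)."""
    over_air = _crypt(E2E_KEY, msg)
    at_gateway = over_air                      # ciphertext passes through untouched
    at_server = _crypt(E2E_KEY, at_gateway)
    return at_gateway, at_server

if __name__ == "__main__":
    secret = b"account=1234;pin=9876"           # constructed sample payload
    g1, s1 = wap1_path(secret)
    g2, s2 = wap2_path(secret)
    print("WAP 1.x gateway held:", g1)        # the secret in the clear
    print("WAP 2.0 gateway held:", g2)        # ciphertext only
    assert s1 == secret and s2 == secret
```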

 


Protecting WTLS WAP Gateways

*      Ensure the WAP Gateway never stores decrypted content on secondary media

*      Implement additional security at the higher layers

*      Secure the WAP Gateway physically so that only administrators have access to the system console

*      Limit administrative access to the WAP Gateway so that it is not available to any remote site outside the firewall

*      Disconnect the WAP application from the rest of the network

*      Add WAP devices to your PKI infrastructure

 

Bluetooth

*      Can be used to connect almost any device to another device

*      Operates in the 2.4 GHz ISM frequency band

*      Supports a range of 30 feet

*      Maximum bandwidth is 1 Mbps

*      Devices don’t need to be “line of sight”

*      Supports data, voice, and content-centric applications

*      Uses FHSS at up to 1600 hops per second

*      Signal hops among 79 frequencies at 1 MHz intervals for a high degree of interference immunity

*      Up to seven simultaneous connections can be established and maintained

*      Will be embedded in future versions of Microsoft Windows and Pocket PCs

 

Each Bluetooth device stores the following:

*      48-bit unique device address

*      128-bit unique unit key

 

Each connection has a link key associated with it.

The link key is used to generate the encryption key.

The link key value is chosen during connection setup for two devices that have not previously communicated.  After this is done, it is used for authentication.

 

Bluetooth Security Issues

*      The link key is not really secret; connections can be eavesdropped and deciphered

*      The encryption can be broken in some cases

*      A device’s address is unique – by tracking a particular address, a person’s activities can be tracked

*      A 4-digit PIN code must be entered manually each time the device is used, and this can be considered a hassle

*      To avoid the hassle of entering the 4-digit PIN code each time, the PIN code can be stored in the device’s memory or hard drive, creating a security vulnerability

*      The user chooses the PIN code, and the PIN code requires no type of complexity.  Users can use ‘0000’ or ‘1234’

 

Securing Bluetooth

Because most of the problems associated with Bluetooth are inherent in the Bluetooth protocol and its implementation, there are few solutions available.  Best practices to date suggest:

*      Implement the necessary authentication

*      Implement the necessary encryption mechanisms at the application layer

*      Avoid the use of unit keys; use combination keys instead

 

The Bluetooth specification defines 3 security modes:

*      Non-secure – Non-secure mode does not initiate any kind of security.

*      Service-level security – In service-level security, security policies are defined by the access requirements of the application the user is using.

*      Link-level security – Security procedures are established before the link setup is complete.

Additional best practices:

*      Perform the bonding in an environment that is as secure as possible against eavesdroppers, and use long random Bluetooth passkeys.

*      For specific implementations and the security concerns of those implementations, please see the white paper on Bluetooth security at: http://www.bluetooth.com/upload/24Security_Paper.PDF

802.11 Current

*      802.11 supports 3 physical layers:

       *      Infrared

       *      Radio Frequency, FHSS – Frequency Hopping Spread Spectrum

       *      Radio Frequency, DSSS – Direct Sequence Spread Spectrum

*      The technology has spread into 802.11a, 802.11b, and 802.11g

*      802.11b supports up to 11 Mbps at 2.4 GHz

*      802.11a supports up to 54 Mbps at 5 GHz

*      802.11g supports up to 54 Mbps at 2.4 GHz

*      802.11b only uses DSSS, which allows greater throughput but is more susceptible to radio signal interference

*      802.11a networks are up to 5x faster than 802.11b networks, but are not interoperable with 802.11b networks.

Access Control

*      Media Access Control (MAC) address filtering

*      Service Set Identifier (SSID) checking

 

Wired Equivalent Privacy (WEP)

*      Encrypts data with 40- or 128-bit keys

*      Automated tools exist to crack WEP encryption keys

*      These tools exploit a weakness in the RC4 key scheduling algorithm

*      The AirSnort tool can compute the key in less than 1 minute of sniffing wireless communication

*      The attack is completely passive, making it extremely difficult to detect

*      The tools used to perform the attack are freely available for download on the Internet

 

802.11b Security

Problems

*      Media Access Control (MAC) address filtering – addresses can be sniffed and spoofed.

*      Service Set Identifier (SSID) – broadcast by access points and should not be considered secret.

       *      The SSID can be easily sniffed

*      WEP encryption can be easily cracked

       *      40- or 128-bit Wired Equivalent Privacy has been broken using tools like:

              *      AirSnort: http://airsnort.sourceforge.net

              *      WEPCrack: http://sourceforge.net/projects/wepcrack

 

Solutions

*      Use a strong authentication mechanism

*      Require mutual authentication between client and server

*      Utilize end-to-end encryption at the higher protocol layers (e.g. SSH and SSL) – use a VPN solution to replace WEP

*      Configure the Access Points to keep silent about the SSID – disable the Access Point's beacon signal and configure it to ignore anonymous requests for the SSID.

 

802.11 Future

802.11c – support for 802.11 frames

802.11d – support for 802.11 frames, new regulations

802.11e – QoS enhancements in the MAC

802.11f – Inter Access Point Protocol

802.11g – High Rate or Turbo Mode – 2.4 GHz bandwidth extension to 22 Mbps

802.11h – Dynamic Channel Selection and Transmit Power Control

802.11i – Security Enhancement in the MAC

802.11j – 5 GHz Globalization among IEEE, ETSI Hiperlan2, ARIB, HiSWANa


Top 5 Security Issues

Most of the information below was gathered from SANS, Information Security Magazine and other top information security resources.

1. Eavesdropping

   a. Issues

      i.   Attackers can gain access to wireless transmissions without being close to the network.
      ii.  It is difficult to detect if someone is eavesdropping.
      iii. An attacker can gather critical or confidential material.

   b. Protecting from Eavesdropping

      i.   Use encryption like SSH, SSL, IPSec or a VPN.
      ii.  Prevent the Access Point from broadcasting the SSID.
      iii. Use authentication and access control (SSID and MAC address filtering) to prevent attackers from being able to connect to your network.

2. Theft or Loss of Wireless Devices

   a. Risk

      i.   Wireless devices can be stolen or lost.
      ii.  Devices can contain confidential corporate information.
      iii. An attacker can gain access to the network via a stolen device and the information on that device.
      iv.  Data on wireless devices is stored in clear text.

   b. Minimizing the Risk

      i.   Audit the wireless devices in your environment regularly.
      ii.  Develop strict guidelines and policies for connecting wireless devices to the network:
           1. Personal Use Restrictions Policy
           2. Enforce a Password Policy
           3. Antivirus Policy
      iii. Encrypt the data that is stored on the wireless devices.
      iv.  Strong authentication.
      v.   Device access controls and secure configuration.

3. Denial of Service

   a. Issues

      i.   An attacker can jam all communications on the wireless side.
      ii.  The cost to perform a DoS is minimal.
      iii. The attack is simple to perform and can be done with common tools easily found on the Internet.

   b. Protecting against a DoS

      i.   In small environments use Infrared instead of RF if possible.
      ii.  Operate wireless networks only from shielded buildings.
      iii. A DoS attack is very difficult to defend against.  When under such an attack, locate and disable the attacking device.

4. Wireless Viruses

   a. Wireless viruses already exist

      i.   Timofonica is a cell phone virus that can replicate by sending messages to randomly dialed phone numbers stored in the victim’s phonebook.
      ii.  Phage is a virus that destroys all data and applications on devices running the Palm OS.

   b. Protecting wireless devices from malware

      i.   Install an anti-virus product that is designed specifically for wireless devices, from McAfee, Trend Micro, F-Secure, Symantec, etc.

5. Masquerading

   a. Issues

      i.   Rogue clients pretend to be a legitimate endpoint:
           1. An attacker could obtain a working IP address via DHCP or by guessing.
           2. A rogue client becomes a node on the internal net behind all firewalls.
      ii.  Rogue Access Points could trick clients into logging in:
           1. Attackers would need to place the rogue Access Points strategically to present the strongest signal.
           2. This would allow an attacker to harvest critical or confidential information or authentication credentials.
      iii. This attack is difficult to detect.

   b. Protecting against masquerading

      i.   Clients must be authenticated before being allowed to connect.
      ii.  Use strong authentication mechanisms that an attacker could not spoof, like public key authentication.
      iii. Choose authentication mechanisms that will not reveal credentials or critical or confidential information (passwords) to a rogue Access Point.
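The rogue Access Point case above is one of the few masquerading scenarios a defender can check for directly: beacons for the organisation's own SSID that come from an unknown BSSID, especially when that source is stronger than any deployed AP.  The script below is an added example, not part of the original report; the scan log format, the inventory and all addresses are constructed for illustration.

```python
import re

# Constructed sample scan log (one beacon observation per line); the layout is
# invented for this example and does not correspond to any specific tool's output.
SCAN_LOG = """\
10:01:02 bssid=00:40:96:aa:bb:01 ssid=corpnet ch=1 rssi=-52
10:01:03 bssid=00:40:96:aa:bb:02 ssid=corpnet ch=6 rssi=-60
10:01:04 bssid=00:40:96:aa:bb:03 ssid=corpnet ch=11 rssi=-58
10:01:05 bssid=00:0c:41:de:ad:01 ssid=corpnet ch=6 rssi=-31
10:01:06 bssid=00:0c:41:de:ad:02 ssid=guest-wifi ch=11 rssi=-70
10:01:07 bssid=00:40:96:aa:bb:02 ssid=corpnet ch=6 rssi=-61
"""

# Hypothetical inventory: SSID -> BSSIDs of the Access Points actually deployed.
AUTHORIZED = {
    "corpnet": {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02", "00:40:96:aa:bb:03"},
}

LINE_RE = re.compile(r"bssid=(\S+) ssid=(\S+) ch=\d+ rssi=(-?\d+)")

def find_rogue_aps(log: str, authorized: dict) -> list:
    """Return (bssid, ssid, reason) for every beacon source not in the inventory.
    A source advertising one of our SSIDs is an impersonation; if it also beats
    the strongest authorized AP it is placed to win client associations."""
    strongest = {}   # ssid -> best RSSI seen from an authorized AP
    seen = {}        # bssid -> (ssid, best RSSI seen from that BSSID)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # ignore lines that do not parse
        bssid, ssid, rssi = m.group(1), m.group(2), int(m.group(3))
        prev = seen.get(bssid, (ssid, -999))
        seen[bssid] = (ssid, max(rssi, prev[1]))
        if bssid in authorized.get(ssid, set()):
            strongest[ssid] = max(strongest.get(ssid, -999), rssi)
    findings = []
    for bssid, (ssid, rssi) in sorted(seen.items()):
        if bssid in authorized.get(ssid, set()):
            continue                      # a deployed AP on its own SSID
        if ssid in authorized:
            reason = "impersonates our SSID"
            if rssi > strongest.get(ssid, -999):
                reason += ", stronger than any authorized AP"
        else:
            reason = "unknown network in range"
        findings.append((bssid, ssid, reason))
    return findings

if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN_LOG, AUTHORIZED):
        print(f"{bssid} ({ssid}): {reason}")
```

A BSSID that appears only in the second category is simply a neighbouring network and needs no response; the first category is the case the protections in 5b are meant to defeat.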


Wireless Cheat Sheet

 

Protocol     Operates at     Range        Max Bandwidth
Bluetooth    2.4 GHz         30 feet      1 Mbps
802.11a      5 GHz           60 feet      6-54 Mbps
802.11b      2.4 GHz         300 feet     5.5-11 Mbps
802.11g      2.4 GHz         300 feet     54 Mbps

(Figure 1: Comparison)

 

 

(Figure 2: http://www.btdesigner.com/pdfs/KenNoblittComparison.pdf)

 

Bluetooth vs. 802.11

802.11                                                        Bluetooth
Fast                                                          Cheap
Ethernet compatible                                           Small transceiver
Has been around longer, more mature                           Still an emerging technology
Requires more power than handheld-sized devices or            Low power
  phones can supply
300 plus feet range                                           30 feet
Uses IP connection                                            –
6-54 Mbps throughput                                          Less than 2 Mbps throughput

(Figure 3: http://www.kerton.com/papers/BT-WF.pdf)

 

 

 

Charles Hornat

mrcorp@mrcorp.net

Copyright 2002